Original fix for Log4j flaw fails to fully protect against DoS attacks, data theft
Security experts are now urging organizations to quickly update to a new version of the Log4j logging framework that the Apache Foundation released Tuesday because its original fix for a critical remote-code execution flaw in the logging tool does not adequately protect against attacks in some situations.
According to the Apache Foundation, the Apache Log4j 2.15.0 version that it released last week to address the Log4j flaw (CVE-2021-44228) is “incomplete in certain non-default configurations” and gives threat actors a way to trigger a denial-of-service (DoS) attack on vulnerable systems.
“Note that previous mitigations involving configuration such as setting the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability,” the Apache Foundation said.
Meanwhile, security vendor Praetorian, among the first to exploit the Log4j flaw last Friday, today said the Log4j 2.15.0 version from last week was vulnerable to another issue as well: exfiltration of data under certain conditions.
Praetorian did not share the technical details of the research and said that the company had passed on its finding to the Apache Foundation.
“In the interim, we strongly recommend that customers upgrade to 2.16.0 as quickly as possible,” said Praetorian CEO Nathan Sportsman in a blog posted this afternoon.
Anthony Weems, principal researcher at Praetorian, says the Apache Foundation’s description about the Log4j 2.15.0 version restricting JNDI LDAP lookups to localhost by default is incorrect.
“We have a bypass for this localhost restriction that means that when a host is affected by CVE-2021-45046, you can exfiltrate [environment variables] via DNS,” Weems says.
The new developments mean that organizations that already downloaded Log4j 2.15.0 to address the original flaw (CVE-2021-44228) now will need to implement version 2.16.0 to mitigate the DoS issue tied to CVE-2021-4506.
To read the complete article, visit Dark Reading.